Hi all,

I have succeeded in a PINless login in my setup. It is working fine if I call it once I am logged into Windows.

As a reminder, my setup looks as follows: Cert and private key are stored on an Aladdin eToken, which I am using via OpenSC. I need to establish the VPN connection before the user is presented with GINA, i.e. the login prompt of Windows.

My OpenVPN conf, aka aladdin3.ovpn:
----------------------------------------------------------------------------
client
proto tcp
dev tap
management 127.0.0.1 9999
management-query-passwords
remote vpn.globalways.net 443
ca "C:\\Dokumente und Einstellungen\\Administrator\\Desktop\\aladdin\\gw-ca.pem"
pkcs11-providers "C:\\Programme\\Smart Card Bundle\\opensc-pkcs11.dll"
pkcs11-slot-type label
pkcs11-slot "OpenSC Card (Richard Hartmann)"
pkcs11-id-type subject
pkcs11-id "/C=de/ST=Bavaria/L=Munich/O=globalways GmbH & Co. KG/OU=IT Security/CN=Richard Hartmann/emailAddress=rh@xxxxxxxxxxxxxx"
auth SHA1
cipher AES-256-CBC
pull
----------------------------------------------------------------------------

My script to connect, called connect.bat (and yes, my PIN is 1234, atm :) ):
----------------------------------------------------------------------------
@echo on
start /B C:\Programme\OpenVPN\bin\openvpn --config C:\Programme\OpenVPN\config\aladdin3.ovpn
c:\Programme\sleep.exe 10
echo password "OpenSC Card (Richard Hartmann) token" 1234 | c:\programme\netcat\nc.exe -w 5 127.0.0.1 9999
----------------------------------------------------------------------------

My Autoexnt.bat as per http://support.microsoft.com/kb/243486 :
----------------------------------------------------------------------------
@echo off
C:\Programme\OpenVPN\bin\connect.bat
----------------------------------------------------------------------------

When I tail -f the server logs, I can see that the connection attempt is made shortly after the GINA appears. I can also see that the attempt times out, which makes me suspect that, for some reason, netcat is unable to pass the PIN to OpenVPN.

I tried using --askpass, but OpenVPN does not seem to realize that it could use the pass for the PIN instead of trying to decrypt the key itself with it. Unfortunately, there is pkcs11-pin-cache as an option, but not pkcs11-pin-value. Offering this as a compile-time option along the lines of --askpass file would probably be neat, at some point. It is bad practice in most cases, but sometimes you just need it.

I suspect that I might need to play around with the dependencies of my Windows system service a bit, but I neither know how to do that nor would I know what OpenVPN requires.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
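The connect.bat above hands the PIN over blind: it sleeps a fixed 10 seconds and then pipes one line into netcat, so any delay in OpenVPN opening the management port at boot makes the hand-off miss. The following is an added example, not code from the post or from the OpenVPN project, of a small management client that retries the connection and answers only once OpenVPN actually sends its `>PASSWORD:Need '<name>' password` prompt. The host, port and credential name follow the post's aladdin3.ovpn; the retry loop, the `TOKEN_PIN` environment variable and the function names are assumptions of this example.

```python
import os
import re
import socket
import sys
import time

# Defaults taken from the post's aladdin3.ovpn ("management 127.0.0.1 9999").
MGMT_HOST = "127.0.0.1"
MGMT_PORT = 9999

# With management-query-passwords, OpenVPN asks for a PKCS#11 token PIN as e.g.
#   >PASSWORD:Need 'OpenSC Card (Richard Hartmann) token' password
PROMPT_RE = re.compile(r"^>PASSWORD:Need '(?P<name>.+)' password$")


def parse_password_prompt(line: str):
    """Return the credential name OpenVPN is asking for, or None for any other line."""
    m = PROMPT_RE.match(line.strip())
    return m.group("name") if m else None


def build_password_reply(name: str, secret: str) -> str:
    """Build the management 'password' command; quotes and backslashes are escaped."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace('"', '\\"')
    return f'password "{esc(name)}" "{esc(secret)}"\n'


def supply_pin(pin: str, host=MGMT_HOST, port=MGMT_PORT,
               connect_timeout=60, read_timeout=30) -> bool:
    """Retry connecting until the management port is up, then answer the PIN
    prompt. Returns True when OpenVPN acknowledges the password with SUCCESS."""
    deadline = time.monotonic() + connect_timeout
    while True:
        try:
            sock = socket.create_connection((host, port), timeout=5)
            break
        except OSError:
            if time.monotonic() >= deadline:
                return False          # OpenVPN never opened the management port
            time.sleep(1)
    sock.settimeout(read_timeout)
    try:
        with sock, sock.makefile("r", encoding="utf-8", errors="replace") as rd:
            for line in rd:           # skip the >INFO greeting and other notices
                name = parse_password_prompt(line)
                if name is None:
                    continue
                sock.sendall(build_password_reply(name, pin).encode())
                # e.g. "SUCCESS: '...' password entered, but not yet verified"
                return rd.readline().startswith("SUCCESS:")
    except OSError:
        pass                          # read timeout or connection dropped
    return False


if __name__ == "__main__":
    sys.exit(0 if supply_pin(os.environ["TOKEN_PIN"]) else 1)
```

Run it in place of the sleep/netcat pair in connect.bat; it exits non-zero when no prompt arrived, which is the condition the post is trying to observe.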